Identity as a Service Powered by NetIQ Account Management Service Installation and Administration Guide


Identity as a Service Powered by NetIQ Account Management Service Installation and Administration Guide
July

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

NetIQ Corporation. All Rights Reserved. For information about NetIQ trademarks, see

Contents

About this Book and the Library 7
About NetIQ Corporation 9
1 Introduction to Deploying or Upgrading the Appliance 11
2 Requirements
  Appliance Requirements
  CSV File Requirements
  Password Requirements
    Understanding How the Account Management Service Handles Passwords
    Understanding the Password Policy
  Appliance Installation Worksheet
3 Deploying and Initializing the Account Management Service Appliance
  Providing a Link to the Appliance for Your Tenants
  Deploying the Appliance
    Determining which OVF File to Use
    Importing an OVF File with DHCP
    Importing an OVF File without DHCP
  Initializing the Appliance
4 Getting Started
  Logging In to the Tenant Console
  Accessing the Account Management Service Appliance Administration Console
  Registering the Appliance
  Understanding the Status Icons
  Viewing Recommended Actions
5 Configuring the Appliance
  Configuring Network Options
    Configuring the Forward Proxy
    Configuring the Routing Table
  Changing the Certificates on the Appliance
  Configuring Clustering for the Appliance
    Advantages of Clustering
    Managing Nodes in the Cluster
    Configuring an L4 Switch for Clustering
6 Importing Data 31
7 Mapping Schema
  Schema Mapping for the Connector for LDAP
  Schema Mapping for the Connector for JDBC

8 Populating Identity Data
  Exporting Identity Data to a CSV File
  Populating Identity Data to the IdentityAccess Service
  Populating Identity Data to a JDBC Database
    Meeting the Requirements
    Obtaining the Script Files
    Configuring the Connector for JDBC
    Populating the JDBC Database
  Populating Identity Data to LDAP Directories
    Meeting the Requirements
    Configuring the Connector for LDAP
9 Mapping Authorizations
  Prerequisites
  Loading Authorizations
  Reloading Authorizations
  Mapping Authorizations
10 Configuring Account Claim for Users
  Configuring Self-Service User Store for Account Claim
  Using the Account Claim Service
11 Using Identity Manager Drivers
  Restrictions for the Identity Manager Drivers
  Importing the Identity Manager Drivers
  Exporting or Publishing the Connector Template
  Displaying Connectors for Tenants
  Configuring the Identity Manager Drivers
12 Reporting
  Viewing Users and Groups
  Using Google Analytics as an External Dashboard
  Configuring the Appliance to Forward Events to Sentinel Log Manager
  Configuring the Appliance to Forward Events to a Syslog Server
13 Maintenance Tasks
  Configuring Session Timeouts
  Changing the IP Address
  Changing Public DNS Name or NTP Server Settings, or Uploading New Certificates
  Updating the Appliance
  Shutting Down or Rebooting a Node
  Recovering from a Disaster
14 Upgrading the Appliance
15 Troubleshooting
  Troubleshooting the Appliance Initialization
  Displaying Health

15.3 Using Troubleshooting Tools
  Troubleshooting Different States
    Master Node Health
    Front Panel of the Node
    Top of the Node
    Tools
  Troubleshooting Networking Issues
  Troubleshooting the Connector for LDAP
  Troubleshooting Automatic Emails for Users' Passwords


About this Book and the Library

The Identity as a Service Powered by NetIQ Account Management Service Installation and Configuration Guide provides installation and configuration information for the Account Management Service.

Intended Audience

This book provides information for providers and tenants that deploy and configure the Account Management Service appliance.

Other Information in the Library

The library provides the following information resources:

Identity as a Service Powered by NetIQ Solution Overview Guide
  Provides overview and architectural information about the services included in the Identity as a Service Powered by NetIQ solution.
Identity as a Service Powered by NetIQ Services Director Installation Guide
  Provides detailed planning and installation information for the Services Director.
Identity as a Service Powered by NetIQ Provider Administration Guide
  Provides step-by-step guidance for the many tasks a provider performs for tenants. The guide also contains information on how to manage and maintain your Services Director.
Identity as a Service Powered by NetIQ Tenant Administration Guide
  Provides step-by-step guidance for the tasks a tenant performs.
Identity as a Service Powered by NetIQ IdentityAccess Service Installation Guide
  Provides detailed installation information for the IdentityAccess Service appliance.
Identity as a Service Powered by NetIQ IdentityAccess Service Configuration and Administration Guide
  Provides detailed configuration and administration information for the IdentityAccess Service appliance.
Identity as a Service Powered by NetIQ IdentityAccess Service Connectors Guide
  Provides detailed installation and configuration information for the connectors that you use with the IdentityAccess Service appliance.
Identity as a Service Powered by NetIQ IdentityAccess Service Mobile Users QuickStart
  Contains basic steps for the users to configure and use the MobileAccess service that is part of the IdentityAccess Service.

Identity as a Service Powered by NetIQ Privileged Account Manager Service Guide
  Provides installation and configuration information on how to make NetIQ Privileged Account Manager a service that the Services Director hosts.
Identity as a Service Powered by NetIQ Technical References
  Provide more detailed information about different features of the Identity as a Service Powered by NetIQ solution.
Help
  Provides context-sensitive information and step-by-step guidance for common tasks.

About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: Change, complexity and risk, and how we can help you control them.

Our Viewpoint

Adapting to change and managing complexity and risk are nothing new. In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.

Enabling critical business services, better and faster. We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.

Our Philosophy

Selling intelligent solutions, not just software. In order to provide reliable control, we first make sure we understand the real-world scenarios in which IT organizations like yours operate day in and day out. That's the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results. And that's so much more rewarding than simply selling software.

Driving your success is our passion. We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post-deployment; and you need someone that is truly easy to work with for a change. Ultimately, when you succeed, we all succeed.

Our Solutions

Identity & Access Governance
Access Management
Security Management
Systems & Application Management
Workload Management
Service Management

Contacting Sales Support

For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.

Worldwide:
United States and Canada:
Website:

Contacting Technical Support

For specific product issues, contact our Technical Support team.

Worldwide:
North and South America:
Europe, Middle East, and Africa: +353 (0)
Website:

Contacting Documentation Support

Our goal is to provide documentation that meets your needs. The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at documentation. You can also email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

Contacting the Online User Community

NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the knowledge you need to realize the full potential of IT investments upon which you rely. For more information, visit

1 Introduction to Deploying or Upgrading the Appliance

The NetIQ Account Management Service allows you to import your identity data, more than likely from an HR system, into a flat, defined structure. It then allows you to use that identity data to populate connected systems, including the IdentityAccess Service. For more information, see NetIQ Account Management Service Architecture in the Identity as a Service Powered by NetIQ Solution Overview Guide.

If this is the first deployment of the appliance, ensure that you meet all of the requirements before deploying the appliance. For more information, see Chapter 2, Requirements, on page 13.

If you have already deployed the appliance, there are two different ways to update its software:

Update: An update allows you to update the software on the appliance if there is a change in the minor version or if there are security updates. For example, you can update the appliance from 2.1 to 2.2. For more information, see Section 13.4, Updating the Appliance, on page 56.

Upgrade: An upgrade is for a major version change of the appliance. For example, you must perform an upgrade from version 2.2 to version 3.0. The upgrade process is different from the update process. For more information, see Chapter 14, Upgrading the Appliance, on page 59.


2 Requirements

The Account Management Service is an appliance that you must deploy for each tenant that uses this service. The appliance is an OVF file. Review the requirements in this section before deploying the appliance.

2.1 Appliance Requirements

Verify that you meet the following requirements before starting the installation of the appliances.

Table 2-1 Account Management Service Appliance Requirements

Supported Virtual Environments
- Hyper-V in Windows Server 2012 R2
- VMware vSphere and vSphere Hypervisor 5.0
- VMware vSphere and vSphere Hypervisor 5.5

Virtual System Guest Requirements
Minimum hardware requirements for each appliance node in the cluster:
- 60 GB disk space
- 2 cores
- 8 GB RAM
A best practice is to group or separate virtual machines on hosts and data stores to avoid resource conflicts for CPU, disk I/O, and network bandwidth.

Cluster Requirements
Supported cluster configuration:
- Up to a five-node cluster
- For optimal performance, each node should reside in the same IP subnet
NOTE: The L4 switch must be configured with the publicly resolvable DNS of the cluster before you initialize the appliance.

Browsers
Supported browsers for administration tasks:
- Mozilla Firefox on Windows 7 or 8.1
- Google Chrome on Windows 7 or 8.1
- Microsoft Internet Explorer 11 on Windows 7 or 8.1
- Apple Safari on OS X Mavericks or later
You must disable pop-up blockers to access the administration consoles.
NOTE: Administration tasks are not supported on mobile devices.
NOTE: If you experience any issues with a supported browser, ensure that you have the latest version of the browser installed, or try another supported browser. Administering the appliance with Internet Explorer might be slower than with other supported browsers.

2.2 CSV File Requirements

The Account Management Service appliance requires that the CSV file contains certain fields. There are only two required fields: UserName and LastName. The CSV fields are the defined schema for the CSV file. For more information, see Chapter 7, Mapping Schema, on page 33.

The following is a list of all of the supported fields for the CSV file in the Account Management Service appliance. The fields are comma delimited and the field names are case sensitive.

AccessCardNumber, City, Company, CostCenter, CostCenterDescription, Country, Department, Description, DepartmentNumber, EmployeeStatus, EmployeeType, FaxNumber, FirstName, FullName, GenerationalQualifier, Group, InstantMessengerID, JobCode, LastName, Location, Mailstop, ManagerWorkforceID, MiddleInitial, MobileNumber, OfficeNumber, PagerNumber, Password, POBox, PostalCode, PreferredLanguage, PreferredName, Prefix, State, StreetAddress, TelephoneNumber, Title, UserName, WorkforceID

The Group field is an optional field. If the Group field is present in the CSV file, Account Management Service creates the group, then designates the user as a member of the group. You can use multiple groups, and multiple input records for the same user in the same CSV file with different group values. For example:

    UserName,LastName,FirstName,Password,Group
    inputuser1,user1,input1,mysecret,group7
    inputuser1,user1,input1,mysecret,group8

The example adds inputuser1 to group7 and group8.

The Password field is also an optional field. Depending on whether you use this field or use the Account Claim feature, the appliance handles passwords differently. For more information, see Section 2.3, Password Requirements, on page 15.

2.3 Password Requirements

Account Management Service automatically handles users' passwords. However, you need to understand how the appliance handles the passwords. The appliance also contains a password policy that users must follow when setting their own passwords through the account claim process.

2.3.1 Understanding How the Account Management Service Handles Passwords

Account Management Service manages user accounts, including passwords, for the users. The appliance can import users' passwords through the CSV file. If you use the Password field, Account Management Service sets the user's password to the value you enter in the CSV file. If you do not use the Password field, Account Management Service sets the imported user's password to a random, 12 character alpha-numeric password on the initial import. In order for Account Management Service to create the users, the appliance must set a value for each user's password. This password is temporary, whether it came from the CSV file or the appliance generated it. Account Management Service stores a copy of the users and their passwords in the local identity store.

These passwords are temporary and each user changes their password through the account claim feature of Account Management Service. For more information, see Chapter 10, Configuring Account Claim for Users, on page 45. If you configured Account Management Service to automatically trigger any provisioning activity when the CSV file import occurs, Account Management Service sets the temporary password for the user in the connected system. When the user changes their password, Account Management Service synchronizes the password change to the connected system.
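The following script is an added example (not NetIQ code) that checks an import CSV against the rules in Sections 2.2 and 2.3.1 before you hand it to the appliance: the case-sensitive field names, the two required fields, the merging of repeated records into extra group memberships, and a 12-character random alphanumeric temporary password where the Password field is empty. The SAMPLE_CSV input is constructed for the example; the guide does not say what the appliance does if a later record for the same user carries a different Password, so this script keeps the first one.

```python
"""Validate an Account Management Service import CSV and model what the import does
with groups and passwords (added example; not NetIQ code)."""
import csv
import io
import secrets
import string

# Fields the guide lists as supported in the import CSV; names are case sensitive.
SUPPORTED_FIELDS = frozenset({
    "AccessCardNumber", "City", "Company", "CostCenter", "CostCenterDescription",
    "Country", "Department", "Description", "DepartmentNumber", "EmployeeStatus",
    "EmployeeType", "FaxNumber", "FirstName", "FullName", "GenerationalQualifier",
    "Group", "InstantMessengerID", "JobCode", "LastName", "Location", "Mailstop",
    "ManagerWorkforceID", "MiddleInitial", "MobileNumber", "OfficeNumber",
    "PagerNumber", "Password", "POBox", "PostalCode", "PreferredLanguage",
    "PreferredName", "Prefix", "State", "StreetAddress", "TelephoneNumber",
    "Title", "UserName", "WorkforceID",
})
REQUIRED_FIELDS = ("UserName", "LastName")
TEMP_PASSWORD_LENGTH = 12  # the guide: a random, 12 character alpha-numeric password


def temp_password(length=TEMP_PASSWORD_LENGTH):
    """Random alphanumeric temporary password, as the appliance does when Password is absent."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate_header(fieldnames):
    """Return a list of header problems; an empty list means the header is acceptable."""
    if not fieldnames:
        return ["CSV file has no header row"]
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in fieldnames]
    lowered = {f.lower(): f for f in SUPPORTED_FIELDS}
    for name in fieldnames:
        if name in SUPPORTED_FIELDS:
            continue
        hint = lowered.get(name.lower())
        if hint:
            problems.append(f"unsupported field {name!r} (field names are case sensitive; use {hint})")
        else:
            problems.append(f"unsupported field {name!r}")
    return problems


def load_users(csv_text):
    """Parse CSV text into {UserName: {"attributes", "groups", "password", "password_source"}}.

    Several records with the same UserName are merged, and each record's Group value adds
    one more group membership, as in the guide's inputuser1/group7/group8 example.
    The first record decides the password: the CSV value if given, else a generated one
    (assumption: the guide does not say what happens if later records differ).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    problems = validate_header(reader.fieldnames)
    if problems:
        raise ValueError("; ".join(problems))
    users = {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        username = (row.get("UserName") or "").strip()
        last_name = (row.get("LastName") or "").strip()
        if not username or not last_name:
            raise ValueError(f"line {line_no}: UserName and LastName must not be empty")
        group = (row.pop("Group", None) or "").strip()
        supplied = row.pop("Password", None) or ""
        user = users.setdefault(username, {"attributes": {}, "groups": [],
                                           "password": None, "password_source": None})
        if user["password"] is None:
            user["password"] = supplied or temp_password()
            user["password_source"] = "csv" if supplied else "generated"
        user["attributes"].update({k: v for k, v in row.items() if k and v})
        if group and group not in user["groups"]:
            user["groups"].append(group)
    return users


def group_memberships(users):
    """Invert the user map into {group: [UserName, ...]}, the groups the appliance would create."""
    groups = {}
    for username, user in users.items():
        for group in user["groups"]:
            groups.setdefault(group, []).append(username)
    return groups


# Constructed sample input: the guide's example plus a third record with no password.
SAMPLE_CSV = (
    "UserName,LastName,FirstName,Password,Group\n"
    "inputuser1,user1,input1,mysecret,group7\n"
    "inputuser1,user1,input1,mysecret,group8\n"
    "inputuser2,user2,input2,,group7\n"
)

if __name__ == "__main__":
    users = load_users(SAMPLE_CSV)
    for name, user in users.items():
        print(name, user["groups"], user["password_source"])
    print(group_memberships(users))
```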

2.3.2 Understanding the Password Policy

Account Management Service contains a password policy that users must follow when changing their passwords through the account claim feature. The users access the URL (appliance_dns_name/ssus) provided through the automatic emails to change their password. The users' passwords must meet the following criteria:

- The password is case sensitive.
- Must be at least six characters long.
- Must not include any of the following values: password, test
- Must not include part of your name or your user name.
- Must not include a common word or commonly used sequence of characters.

You cannot change the password policy, and the users see the password policy when they change their password.

2.4 Appliance Installation Worksheet

Use the following worksheet to gather the required information to install and configure the appliance.

Table 2-2 Appliance Installation Worksheet (record Your Information for each item)

Networking Information
- Publicly resolvable DNS name for the appliance
- NTP server
- DNS server, subnet mask, and gateway
- (Recommended) An SSL certificate signed by a well-known certificate authority (CA)

Services Director
- DNS name of the Services Director
- The tenant's name and password
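The policy in Section 2.3.2 above is enforced by the appliance itself; the following checker is an added example (not NetIQ code and not the appliance's implementation) that an administrator could use to pre-screen passwords or explain rejections to users. The guide does not publish its list of common words or sequences, so COMMON_WORDS, the sequential and repeated-character checks, and the three-character reading of "part of your name" are assumptions of this example.

```python
"""Check a candidate password against the Account Claim password policy that section 2.3.2
lists (added example; not NetIQ code, and not the appliance's own implementation)."""
import re

MIN_LENGTH = 6
FORBIDDEN_VALUES = ("password", "test")  # values the guide says a password must not include
# The guide does not publish its list of common words or sequences; this short list is a
# constructed stand-in for the example.
COMMON_WORDS = frozenset({"welcome", "qwerty", "letmein", "admin", "abc123", "123456"})
NAME_FRAGMENT_LENGTH = 3  # assumption: "part of your name" means any 3+ character run of it


def name_fragments(*names):
    """All lower-case runs of NAME_FRAGMENT_LENGTH characters taken from the given names."""
    fragments = set()
    for name in names:
        for token in re.split(r"[^a-z0-9]+", name.lower()):
            for i in range(len(token) - NAME_FRAGMENT_LENGTH + 1):
                fragments.add(token[i:i + NAME_FRAGMENT_LENGTH])
    return fragments


def has_sequential_run(text, length=4):
    """True if `text` contains `length` characters that each step up by one ('abcd', '1234')."""
    for i in range(len(text) - length + 1):
        window = text[i:i + length]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(length - 1)):
            return True
    return False


def has_repeated_run(text, length=3):
    """True if one character repeats `length` or more times in a row ('aaa', '111')."""
    return re.search(r"(.)\1{%d,}" % (length - 1), text) is not None


def check_password(candidate, username, first_name="", last_name=""):
    """Return the list of policy rules the candidate violates; an empty list means it passes.

    The password itself is case sensitive; the checks below compare case-insensitively so
    that 'PassWord' is still rejected (an assumption of this example).
    """
    violations = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append(f"must be at least {MIN_LENGTH} characters long")
    for value in FORBIDDEN_VALUES:
        if value in lowered:
            violations.append(f"must not include '{value}'")
    if any(frag in lowered for frag in name_fragments(username, first_name, last_name)):
        violations.append("must not include part of your name or your user name")
    if (any(word in lowered for word in COMMON_WORDS)
            or has_sequential_run(lowered) or has_repeated_run(lowered)):
        violations.append("must not include a common word or commonly used sequence of characters")
    return violations


if __name__ == "__main__":
    # Constructed sample checks for the guide's example user inputuser1 (input1 user1).
    for candidate in ("mysecret", "Password123", "user1xyz!", "abc"):
        print(candidate, "->", check_password(candidate, "inputuser1", "input1", "user1") or "OK")
```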

3 Deploying and Initializing the Account Management Service Appliance

After you have installed the Services Director framework, you can install the Account Management Service appliance. For more information, see Identity as a Service Powered by NetIQ Services Director Framework Installation Guide.

3.1 Providing a Link to the Appliance for Your Tenants

You can provide a direct link to an FTP server from which your tenants can download the appliance VM image.

To provide a download link:
1 Log in to the provider console as administrator: Director_DNS_Name/css/Provider
2 In the Security Services panel, click Account Management Service.
3 Click the Properties tab.
4 Click NCSService Component image Location.
5 Add the location of the VM image on your FTP server, then click Save.

Tenants see a link to download the VM image when they log in to the tenant console. The tenant console displays the link in the Security Services panel.

3.2 Deploying the Appliance

The appliance is an Open Virtualization Format (OVF) virtual appliance that you must deploy to your host server. NetIQ provides OVF files of the virtual images. Use the following sections to launch the appropriate virtual image on your host server.

3.2.1 Determining which OVF File to Use

NetIQ provides different OVF files for the different versions of VMware and for whether or not you have DHCP in your environment. After you have downloaded the appliance VM image, you must extract the file to access the available OVF files. Use the following table to determine which OVF file you need.

Table 3-1 OVF Files

File Name: ams.trunk.ovf
Description: When you deploy Account Management Service in an environment with DHCP, use this file. For instructions, see Section 3.2.2, Importing an OVF File with DHCP, on page 18.

File Name: ams.trunk-vcenter.ovf
Description: When you deploy Account Management Service in an environment without DHCP, or you want to use VMware vCenter Server to configure the networking options, use this file. For instructions, see Section 3.2.3, Importing an OVF File without DHCP, on page 18.

3.2.2 Importing an OVF File with DHCP

If you have DHCP in your environment, use this procedure. You can select to continue to use DHCP or assign a static IP address to the appliance during the initialization process.

To import the OVF file:
1 Copy the cis.trunk-vcenter.ovf file to a Windows computer. For more information, see Section 3.2.1, Determining which OVF File to Use, on page 17.
2 On the Windows computer, run the VMware vSphere client. This client runs only on a Windows computer and is available for download from your ESX or ESXi server. To download the client, enter the IP address of the server as a URL in a browser, then log in.
3 From the toolbar, select File > Deploy OVF Template.
4 Follow the prompts to deploy the OVF file.
  TIP: If you deploy the appliance using the ovftool, you can configure the appliance properties from the command line and auto-start the VM, so you do not have to use the vSphere client to configure the properties before starting the VM.
5 To start the VM image, in the toolbar, click Power on (green arrow icon).
6 To activate the mouse and keyboard for the console, click inside the console window.
7 Power on the appliance. The initial boot configures the appliance. The initial boot could take between five and twenty minutes for the configuration to complete. When the appliance is ready, it displays a welcome message with the initialization URL.

3.2.3 Importing an OVF File without DHCP

If you want to use VMware vCenter Server or if you do not have DHCP available in your environment, use this procedure. By using the OVF template, you can define your IP address and any additional network settings through VMware vCenter Server. When the initialization for the appliance occurs, the template has already configured your networking settings.

To import the OVF file:
1 Copy the cis.trunk.ovf file to a Windows computer. For more information, see Section 3.2.1, Determining which OVF File to Use, on page 17.
2 On the Windows computer, run the VMware vCenter client for vSphere. This client runs only on a Windows computer and is available for download from your vSphere or vSphere Hypervisor server.

  To download the client, enter the IP address of the server as a URL in a browser, then log in.
3 From the toolbar, select File > Deploy OVF Template.
4 Follow the prompts.
5 In the Properties step, select auto-configure, then specify your network configuration information for the VM image.
6 Continue following the prompts.
7 Power on the appliance. The initial boot configures the appliance. The initial boot could take between five and twenty minutes for the configuration to complete. When the appliance is ready, it displays a welcome message with the initialization URL.

Initializing the Appliance

Before initializing the appliance, verify that you meet the requirements listed in Chapter 2, Requirements, on page 13.

To initialize the appliance:
1 From a supported browser, access the initialization web interface at the URL displayed on the appliance screen after it is deployed. For example:
  NOTE: This URL is case-sensitive, so ensure that you enter the non-variable portions of the URL exactly as illustrated.
2 Use the following information to initialize the appliance.
  Join Cluster: Select Join Cluster only if you are initializing an appliance to add to an existing cluster. The first appliance that you configure automatically becomes the master node in the cluster.
  Network: Use the following information to configure or validate your network settings.
    IP Address: Select whether to use a DHCP server to provide the networking information for the appliance or to use a static IP address for the appliance. If you used the VMware vCenter Server OVF file, these fields are already populated.
    NTP: Specify a network time protocol server. Time must be synchronized between the appliances in the cluster.
  Cluster Information: Specify the public DNS name for the appliance. This DNS name is the login page URL for your tenants' users.
  Services Director: Specify the public DNS name of the Services Director, and the tenant administrator's name and password.
3 Click Finish.
  A successfully initialized appliance automatically redirects the browser to the tenant console login page at Director_DNS_Name/css/.
4 Log in to the tenant console as a tenant administrator.

Whenever you make changes to the appliance, click Apply and wait for the appliance to finish applying your changes. Do not attempt to perform any other administration tasks in the console until the gears have stopped spinning on the Node icon.


4 Getting Started

The Services Director contains a management console for tenants called the tenant console. The tenant console allows tenants to access the administration console for any services provided to the tenant. For example, tenants access the Account Management Service administration console through the tenant console.

4.1 Logging In to the Tenant Console

To log in to the tenant console:
1 From a browser on a client computer, enter the URL the provider gave you.
2 Specify the following credentials to log in:
  Name: Specify the email address that you gave to the provider administrator to create your user account.
  Password: Specify the password for the account. The default value is the email address you specified for the name.
3 (Conditional) If this is your first login, follow the prompts to change your password. The password must contain at least one number.

4.2 Accessing the Account Management Service Appliance Administration Console

To access the Account Management Service appliance administration console:
1 Log in to the tenant console as a tenant administrator.
2 In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon.

4.3 Registering the Appliance

Account Management Service provides a 90-day trial period. If you do not register the appliance within 90 days after installation, the appliance stops working. The Bomb icon on the Admin page displays how many days are left in the trial period.

For the purpose of meeting licensing requirements, when you register a single appliance, the cluster as a whole is considered to be registered. However, to use the Customer Center update channel to download and install software updates, you must register each node in the cluster separately. The Bomb icon remains on the Admin page if there are nodes in the cluster that have not yet been registered for channel updates. For more information about the update channel, see Section 13.4, Updating the Appliance, on page 56.

To register your appliance:
1 Obtain the registration code from your NetIQ contact.

  You use the same registration code for all tenants.
2 Access the Admin page of the appliance.
  2a Log in to the tenant console as a tenant administrator.
  2b In the Security Services panel, next to Account Management Service, click the Launch administrative console icon.
3 In the Admin page, click the appliance, then click Register appliance.
4 Enter a valid email address. This email address receives the notifications that updates are available.
5 Paste the registration code in the field.
6 Click Register.
7 Repeat Step 3 through Step 6 for each appliance in the cluster.
8 Repeat Step 1 through Step 7 for each tenant deployment of Account Management Service.

When you have successfully registered all nodes in the cluster, the Bomb icon disappears.

4.4 Understanding the Status Icons

The Services Director contains an embedded health system throughout the tenant console. In the different panels for the different components, there are colored status icons that have the following meanings:

- Green icons with a check mark indicate that the component is configured correctly and running as designed.
- Flashing green icons indicate that the component is working through its initialization process. In time, most flashing green icons change to a green icon. However, if an error occurs, the flashing green icon can change to a yellow or red icon.
- Red icons with an x indicate that a component is not functioning correctly. This can be because the component has not been configured, it is not communicating with the system, or it has been disabled.
- Gray icons indicate no components have been installed that currently meet the state.
- Blue icons with an i indicate informational alerts and messages.
- Yellow icons with an exclamation mark indicate warning items that probably need your attention.
- Red icons indicate conditions that need your attention because a component is not functioning correctly.

4.5 Viewing Recommended Actions

The tenant console provides you with a list of recommended actions to maintain the health and functionality of your services.

To view the recommended actions:
1 Log in to the tenant console as a tenant administrator.
2 In the System panel, click the link for the recommended action.

  The Recommended Actions panel displays the current actions that need to be performed. When you are first configuring your system, this panel displays the next configuration actions that need to be performed. If multiple actions appear, they can be performed in any order. After you have performed the recommended action or actions, new actions might appear.


5 Configuring the Appliance
The Account Management Service appliance allows you to configure different settings to make the appliance work best in your environment.

5.1 Configuring Network Options
The Account Management Service appliance contains a manual routing table, supports two Network Interface Cards (NICs), and provides a forward proxy.

Configuring the Forward Proxy
The forward proxy takes requests coming from the internal network and forwards them to the internet.
NOTE: The forward proxy feature is intended only for testing purposes. The forward proxy is not supported in a production environment.
To configure the forward proxy:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon.
2 In the Tools palette, drag the Forward Proxy icon to the Tools panel.
3 Use the following information to configure the forward proxy:
Forward Proxy Server: Specify the IP address and port number for your proxy server.
Ignore List: Specify any IP addresses, with the associated DNS names, that you want the forward proxy to ignore. For example, localhost.
4 Click OK to save your changes. Note that clicking OK causes the services to restart, and you must log in to the appliance again.

Configuring the Routing Table
The appliance provides a routing table for your use if your network has static routes. The routing table allows you to define the next hop in your network for the node in the cluster to reach the appropriate destination.
To configure the routing table for each node:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon.

2 Click the Node icon, then select Configure.
3 Click the Routing tab.
4 Specify the appropriate Reverse Path Filter setting. Reverse path filtering is used to prevent packets that arrived through one interface from leaving through a different interface. If in doubt, leave the default setting of Strict mode, because it prevents users from spoofing IP addresses from local subnets and reduces the likelihood of distributed denial-of-service (DDoS) attacks.
5 Click the plus sign (+) icon to add a route.
6 Define the appropriate route, then click OK.
7 (Optional) Add additional routes.
8 Click Close.
9 Repeat Step 2 through Step 8 for each node in the cluster.

5.2 Changing the Certificates on the Appliance
The appliance contains self-generated SSL and SAML certificates, by default both named ag4csrv1, but NetIQ highly recommends that you replace the default certificates with certificates signed by a well-known Certificate Authority. The required format for importing a key pair is .pfx. This format contains the private key, the certificate, and the trusted roots required for the import.
To change the certificates:
1 Access the Admin page of the appliance.
1a Log in to the tenant console as a tenant administrator.
1b In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon.
2 Click the Cluster icon under Appliances, then click Configure.
3 Delete the default key pairs by clicking the red delete (X) icon next to the SSL key pair and the SAML key pair.
4 Browse to and select the certificates you want to use, then click OK.
5 In the Instructions window, click OK.
6 Click Apply and wait for the configuration changes to be applied to the appliance. Do not perform other administration tasks in the console while the changes are being applied.
7 Close your browser and reopen it to start a new session using the new key pairs.
Expired key pair certificates prohibit changes from being made to this page and turn the key pair field red.
5.3 Configuring Clustering for the Appliance
You can cluster the Account Management Service appliance. By default, the appliance is a single-node cluster, but the Services Director framework supports up to a five-node cluster. You add a node to the cluster by selecting Join Cluster during the initialization process.

Advantages of Clustering
Clustering offers several advantages. Most of these advantages are available only if you configure an L4 switch or round-robin DNS. The L4 switch is the best solution.

Disaster Recovery: Adding nodes to the cluster provides disaster recovery for your appliance. If one node stops running or becomes corrupt, you can promote another node to master.
Scalability: Configuring an L4 switch with clustering increases the scalability of the appliance.

Managing Nodes in the Cluster
The Services Director framework supports up to five nodes in a cluster. You add nodes to the cluster through the initialization process, and perform all other initialization tasks through the administration console.

Adding a Node to the Cluster
To add a node to the cluster:
1 Verify that the cluster is healthy. All nodes must be running and communicating. All components must be in a green state. All failed nodes must be removed from the cluster. For more information about verifying that your cluster is healthy, see Section 15.4, Troubleshooting Different States, on page .
2 Download and deploy a new virtual machine (VM) for the new node. For more information, see Section 3.2, Deploying the Appliance, on page .
3 You must now initialize the appliance. Select Join Cluster as the first step to initialize the new node, then follow the on-screen prompts. For more information, see Section 3.3, Initializing the Appliance, on page 19. When initialization is complete, the browser is redirected to the tenant console and a login page appears.
4 Log in to the tenant console as a tenant administrator.
5 In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon. The new appliance should be displayed in the cluster. Wait until all spinner icons stop processing and all components are green before performing any other tasks. The cluster is adding the node and several background processes are running. This final step can take up to an hour to complete.

Promoting a Node to Master
The first node that you install is the master node of the cluster by default.
The master node runs the provisioning, reporting, and policy mapping services. You can promote any node to become the master node.
To promote a node to master:
1 Verify that the cluster is healthy. For more information, see Section 15.4, Troubleshooting Different States, on page .
2 Take a snapshot of the cluster through your VMware tools.

3 Access the Admin page of the appliance.
3a Log in to the tenant console as a tenant administrator.
3b In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon.
4 On the administration console, click the node that is to become the master node, then click Promote to master. An M appears on the front of the Node icon, indicating that it is now the master node. This process might take a while to complete. Watch for the Node spinner icons to stop and the health indicators to turn green before proceeding with any additional configuration changes. The services move from the old master to the new master. The old master is now just a node in the cluster.
WARNING: If the old master node is down when you promote another node to master, remove the old master from the cluster, then delete it from the host server. Otherwise, the appliance sees two master nodes and becomes corrupted.
When you switch the master node, the logs start again on the new master and reports start again on the new master. The historical logs are lost. The reporting data is also lost, unless you are using Sentinel Log Manager. For more information, see Section 12.3, Configuring the Appliance to Forward Events to Sentinel Log Manager, on page 52.

Removing a Node from the Cluster
You can remove a node from the cluster if something is wrong with the node. However, after you remove a node, you cannot add the same virtual image instance back into the cluster. You must delete this instance of the appliance from your host server, then deploy another instance to the host server to add a node back into the cluster.
To remove a node from the cluster:
1 (Conditional) If the node you are removing is the master node, promote another node to be master before you remove the old node. For more information, see Promoting a Node to Master on page .
2 (Conditional) If you are using an L4 switch, delete the node from the L4 switch. For more information, see the L4 switch documentation.
3 Access the Admin page of the appliance.
3a Log in to the tenant console as a tenant administrator.
3b In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon.
4 On the Admin page, click the node you want to remove from the cluster.
5 Click Remove from cluster. The administration console immediately shows that the node is gone, but it takes some time for the background processes to finish.
6 Delete the instance of the node from the host server.
7 Delete the node from the tenant console.
7a In the Security Services panel, expand Account Management Service.
7b Delete the node you removed from the Admin page.

5.3.3 Configuring an L4 Switch for Clustering
If you want high availability or load balancing, you must configure an L4 switch for the appliance. An L4 switch can be configured in many different ways. Use the following recommendations to configure the L4 switch to work with the appliance.
Heartbeat: Use the following URL to define the heartbeat for the L4 switch:
The L4 switch uses the heartbeat to determine whether the nodes in the cluster are running and working properly. The heartbeat URL returns a text message of Success and a 200 response code.
Persistence: Also known as sticky sessions, persistence causes all subsequent requests from a client to be sent to the same node. To make this happen, select SSL session ID persistence when you configure the L4 switch. Persistence increases the performance of the appliance for end users by removing the delay that might occur if the client sends a request to a new node instead of using the existing session with the same node.
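The heartbeat contract stated above (HTTP 200 plus the body text Success) is what a switch health check should verify, and verifying both halves matters: a node that serves an error page with a 200 status would stay in the pool if only the status code were checked. The following is an added example, not NetIQ code and not the appliance's own heartbeat URL, which this page does not reproduce; HEARTBEAT_PATH is a placeholder, and the three local HTTP servers are constructed stand-ins for a healthy node, a node returning the wrong body, and a node returning 503.

```python
"""Heartbeat probe of the kind an L4 switch health check performs.

Added example, not part of the NetIQ guide or product. The real heartbeat URL
is not shown on this page, so HEARTBEAT_PATH is a placeholder; the fake nodes
started below are constructed stand-ins that answer on localhost.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEARTBEAT_PATH = "/heartbeat-placeholder"  # assumption: substitute the URL from the guide


def check_heartbeat(url: str, timeout: float = 2.0) -> bool:
    """Return True only if the node answers 200 with body exactly 'Success'.

    Both the status code and the body are checked, matching the contract the
    guide describes; either one alone would let a misbehaving node stay in the
    pool.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace").strip()
            return resp.status == 200 and body == "Success"
    except urllib.error.HTTPError:
        # non-2xx responses (for example 503) raise HTTPError: failed heartbeat
        return False
    except (urllib.error.URLError, OSError):
        # connection refused, timeout, name resolution failure: node unreachable
        return False


def _make_handler(status: int, body: bytes):
    """Build a request handler that answers the heartbeat path with fixed data."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == HEARTBEAT_PATH:
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the console quiet
            pass

    return Handler


def start_fake_node(status: int, body: bytes) -> str:
    """Start a constructed stand-in node on a free localhost port; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _make_handler(status, body))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def probe_cluster(base_urls):
    """Map each node base URL to its heartbeat result, as the switch would."""
    return {base: check_heartbeat(base + HEARTBEAT_PATH) for base in base_urls}


if __name__ == "__main__":
    healthy = start_fake_node(200, b"Success")
    wrong_body = start_fake_node(200, b"Service Unavailable")  # right status, wrong body
    down = start_fake_node(503, b"Success")                    # right body, wrong status
    for node, ok in probe_cluster([healthy, wrong_body, down]).items():
        print(f"{node}: {'in pool' if ok else 'removed from pool'}")
```

Only the first node passes; the other two are exactly the cases a status-only or body-only check would misjudge. When you configure the real switch, point its monitor at the heartbeat URL from the guide and set the expected response to the 200 status and the Success text, not to a generic "connection succeeded" probe.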


6 Importing Data
Account Management Service allows you to import CSV files from HR systems or other sources to be the authoritative data source for the tenant. You can use Account Management Service as a stand-alone service for your tenant, or you can use it in conjunction with IdentityAccess Service as another identity source.
Most HR systems allow you to export your user information into a CSV file. Account Management Service imports the CSV files for the identity data.
To import the CSV files:
1 Export a CSV file from your HR system.
2 Verify that the CSV file matches the required CSV format. For more information, see Section 2.2, CSV File Requirements, on page 14.
or
Map the fields in the CSV file when you configure the HR Feed collector.
3 Access the Admin page of the appliance.
3a Log in to the tenant console as a tenant administrator.
3b In the Security Services panel, next to the Account Management Service, click the Launch administrative console icon.
4 In the Identity Sources palette, drag the HR FEED collector to the Identity Sources panel.
5 Specify a unique name to display in the Admin page.
6 Browse to and select the CSV file.
or
Select Enable polling of HTTP URL location to poll for a CSV file on a web server, so that changes are picked up automatically. If you select this option, you must specify your web server information.
7 (Conditional) Select the Enable LDAP server option if you are using the Account Management Service appliance to populate your IdentityAccess Service appliance. In its default configuration, the Account Management Service appliance has the LDAP ports disabled. This option opens the default LDAP ports 389 and 636 in the firewall on the Account Management Service appliance. With this option enabled, the IdentityAccess Service appliance can communicate with the Account Management Service appliance.
8 (Optional) Click Advanced Options, then map the fields from your CSV file to the required mapping for Account Management Service.
9 Click OK to save the configuration, then click Apply to commit the changes to the appliance.
After you have imported the identity data, you must add authorizations for each connector so that the identity data is populated in the connected systems. Proceed to Chapter 9, Mapping Authorizations, on page 43.


7 Mapping Schema
Account Management Service populates identity data from the CSV file into the connected systems. The CSV file comes from different applications, and the connected systems are different applications. All of the applications involved in the synchronization process have a different schema. You must be able to map to the schema in the different applications for the identity information to be populated correctly by Account Management Service.
Mapping the schema between the CSV file and the connected system is a manual process. You must ensure that the fields in your CSV file match the schema defined in Account Management Service. You must also understand what the schema output to the connected systems is, so that the identity data flows correctly. There is no tool for mapping the schema; this protects the integrity of the internal schema on the Account Management Service appliance. If you were somehow able to change the internal schema, the identity data would stop flowing between the CSV file and the connected systems.
The CSV schema is also listed in the requirements. If the CSV file does not match the listed schema, the identity data is not imported into the appliance. For more information, see Section 2.2, CSV File Requirements, on page 14.
Account Management Service contains default connectors. Each connector has a different schema mapping. The following sections define the schema mapping between what must be in the CSV file and what the output is in the connected system.

7.1 Schema Mapping for the Connector for LDAP
Use the following information to make any changes to the schema of your CSV file and to understand what the output schema is for your LDAP directory. If your schema does not match the information in the CSV column, you must manually change your schema to match what is listed. The information in the LDAP column lists the output schema into your LDAP directory.
NOTE: All of the information listed in the table is case sensitive. Ensure that you use the proper case for all of the attributes listed.
The CSV file is the export of your identity data from the HR system. The identity data in the CSV file contains fields that become attributes on the inetorgperson class in the LDAP directory. The following table shows which fields Account Management Service allows into the appliance and how the appliance maps the fields from the CSV file to the attributes in the LDAP directory.

Table 7-1 Connector for LDAP Schema Mapping
CSV Fields       LDAP Attributes
UserName         CN
FirstName        givenname
LastName         sn
MiddleInitial    Initials
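The pre-import check in Chapter 6 (verify that the CSV file matches the required format) and the case-sensitive mapping in Table 7-1 come down to the same two operations: reject a header whose field names do not match exactly, and translate each accepted row into the LDAP attributes the connector writes. The following Python is an added example, not code from the guide or the product, that performs both. Its MAPPING carries only the four rows of Table 7-1 visible on this page (the table continues beyond it), the base DN is an assumed placeholder, and SAMPLE_CSV is constructed input, not real HR data.

```python
"""Case-sensitive CSV header check and CSV-to-LDAP attribute mapping.

Added example, not part of the NetIQ guide or product. MAPPING reproduces only
the rows of Table 7-1 that are shown on this page; the base DN is an assumption.
"""
import csv
import io

# CSV field -> LDAP attribute on inetOrgPerson, from the visible rows of Table 7-1.
# Keys and values are compared exactly: the guide states the names are case sensitive.
MAPPING = {
    "UserName": "CN",
    "FirstName": "givenname",
    "LastName": "sn",
    "MiddleInitial": "Initials",
}
REQUIRED_FIELDS = tuple(MAPPING)


def check_header(fieldnames):
    """Return a list of header problems; an empty list means the header is acceptable.

    A name that matches only when case is ignored is reported as a case mismatch
    instead of being silently accepted, which is the failure the guide's NOTE warns about.
    """
    present = set(fieldnames or [])
    by_lower = {name.lower(): name for name in present}
    problems = []
    for field in REQUIRED_FIELDS:
        if field in present:
            continue
        if field.lower() in by_lower:
            problems.append(f"case mismatch: found {by_lower[field.lower()]!r}, expected {field!r}")
        else:
            problems.append(f"missing required field {field!r}")
    return problems


def map_rows(csv_text, base_dn="ou=people,dc=example,dc=com"):
    """Parse CSV text and return one dict of LDAP attributes per usable row.

    base_dn is an assumed placeholder; the guide does not state the container the
    connector writes to. Rows with an empty UserName are skipped because no CN,
    and therefore no DN, can be formed for them. Empty optional values are
    omitted rather than written as empty attributes.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    problems = check_header(reader.fieldnames)
    if problems:
        raise ValueError("; ".join(problems))
    entries = []
    for row in reader:
        cn = (row.get("UserName") or "").strip()
        if not cn:
            continue
        entry = {"dn": f"CN={cn},{base_dn}", "objectClass": "inetOrgPerson"}
        for csv_field, ldap_attr in MAPPING.items():
            value = (row.get(csv_field) or "").strip()
            if value:
                entry[ldap_attr] = value
        entries.append(entry)
    return entries


# Constructed sample input in the shape of an HR export; not real data.
SAMPLE_CSV = """UserName,FirstName,LastName,MiddleInitial
jdoe,Jane,Doe,Q
rroe,Richard,Roe,
,Ghost,Entry,X
"""

# Constructed header that differs from Table 7-1 only in case; the check rejects it.
BAD_CASE_CSV = "username,firstname,lastname,middleinitial\njdoe,Jane,Doe,Q\n"

if __name__ == "__main__":
    for entry in map_rows(SAMPLE_CSV):
        print(entry)
    print(check_header(["username", "FirstName", "LastName"]))
```

Run the header check on an export before dragging the HR FEED collector into place: a rejected header points at the exact field to rename, whereas a silent mismatch surfaces later as identity data that never reaches the connected system.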